

CAMPUS LAN DESIGN GUIDE

Design Considerations for the High-Performance Campus LAN


Table of Contents

Introduction 4

Campus Overview 4

Scope 5

Campus LAN Design Considerations 5

Infrastructure Solutions 6

Campus Architecture Overview 7

Layered Approach 7

Benefits and Challenges to the Layered Approach 8

A Network Revolution 8

Implementation: Access Layer 8

Access Layer Design Considerations 9

Wired Port Connectivity 9

WLAN Connectivity 9

PoE 9

Virtual LAN and Spanning Tree Protocol 10

Using Layer 2 versus Layer 3 at the Access Layer 10

Considerations for Implementing Unified Communications 11

Threat Containment 12

Modular Chassis Technology 12

Access Layer Solutions 13

Scalable Access Solutions with Virtual Chassis Technology 13

Wireless Solutions 15

Aggregation Layer 16

Aggregation Layer Design Considerations 16

Segmentation/Virtualization 16

Distributed Switching 16

Aggregation Layer Solutions 17

Scalable Aggregation Layer Solutions 17

Core Layer 19

Core Layer Considerations 19

Core Layer Solutions 19

High Performance Core Layer Solutions 19

Is the Core Layer Essential? 20

Challenges and Benefits 21

Consolidating the Core and Aggregation Layers 21

High Availability in the Campus Network 22

Device-Level High Availability 22

Link-Level High Availability 22

Redundant Links: Square versus Triangle 22

Virtual Chassis Technology 23

Link Aggregation Groups 23

Redundant Trunk Group 24


Best Practices for Campus Link Redundancy 25

Network Software HA 25

Security 26

Unified Access Control 27

IEEE 802.1X 27

Ubiquitous Access 28

Segmentation 28

Access Control Lists 28

Additional Access Security 29

Operational Simplicity and Unified Management 30

Unified Management with Juniper Networks Network and Security Manager (NSM) 30

NSM Benefits 33

Remote Configuration and Management with Juniper Networks J-Web Software 34

J-Web Benefits 34

Summary 35

About Juniper Networks 35

Table of Figures

Figure 1: Highly available campus LAN configuration 7

Figure 2: The layered approach 7

Figure 3: Access layer at a highly available campus LAN 8

Figure 4: Flexible and roaming wireless access solutions 9

Figure 5: Layer 2 versus Layer 3 at the access layer 10

Figure 6: Virtual Chassis technology 13

Figure 7: Reducing CapEx and OpEx with Virtual Chassis technology 14

Figure 8: Aggregation layer in a highly available campus LAN 16

Figure 9: Distributed switching at the core/aggregation layer 17

Figure 10: Core layer in a highly available campus LAN 19

Figure 11: Benefits of the core layer 20

Figure 12: Core layer collapsed into the aggregation layer 21

Figure 13: Homing: square versus triangle 23

Figure 14: Link aggregation group (LAG) 23

Figure 15: Virtual Chassis and LAG 24

Figure 16: Best practices link redundancy 25

Figure 17: Campus security architecture 26

Figure 18: Enforcing endpoint health policy for all user types 27

Figure 19: Enforcing security policies between different departments, resources and services 28

Figure 20: Dynamic ARP Inspection (DAI) 29

Figure 21: NSM Device Management and Device Auto Discovery 30

Figure 22: NSM Topology Discovery 31

Figure 23: NSM Template Based Configuration 32

Figure 24: NSM Event and Log Management 33

Figure 25: Easy-to-use graphical J-Web interface 34


Introduction

The corporate LAN has evolved from a passive background business component to a highly active, highly visible core asset that enterprises rely on to support day-to-day operations critical to their market success. Today’s network is a strategic instrument that must be accessible any time from anywhere—simultaneously offering fast, secure, reliable services at scale regardless of location. It has also evolved from traditional client/server data flow support to peer-to-peer flow support, and it must also accommodate an increasing number of devices and services. In addition to centralizing applications and data centers, enterprises are consolidating servers and data centers to simplify operations and reduce costs. Existing campus infrastructure solutions cannot meet the requirements needed to provide secure and reliable high-performance access for campus users, nor do they provide the centralized management capabilities critical for reducing costs and streamlining operations.

A new campus LAN design that meets campus security, connectivity, and performance challenges while enabling key IT initiatives is needed. It also must scale, offer operational simplicity, and flexibly accommodate new computing trends without an entire redesign.

Campus Overview

The term campus, when used in this document, refers to a main enterprise location consisting of one or more buildings in close proximity at the same locale. A campus is usually, though not necessarily, the corporate headquarters or a major site. A multi-floor office building housing an enterprise, a corporation with several buildings in an office park complex, and the sprawling facilities making up a university are all examples of a campus. All buildings and floors on the campus are connected to shared resources and services in a data center, which may or may not be part of the campus, via a campus LAN or WAN connection. The campus may also be connected to remote locations such as branch and regional offices via a WAN.

As most business processes are carried out online, any campus LAN downtime or inefficiency has a negative impact on the corporate bottom line. Secure, high-performance, highly available LAN services are crucial to ensure that each campus facility is always online so that business productivity and customer satisfaction are maximized. This document focuses on the challenges and considerations facing today’s enterprise so that they may plan and create a LAN meeting those requirements.

The campus LAN is made up of three main layers: the access layer, the aggregation layer, and the core layer. Each layer, covered in more detail further in this document, provides a set of services to the enterprise that require a series of considerations and address a set of challenges.

Services Needed in the Campus LAN

The campus LAN must provide the following high-level services to optimize efficient business operations:

• LAN Connectivity—The campus infrastructure must provide secure wired and wireless LAN connectivity for an increasing number of IP devices such as computers, telephones, PDAs, surveillance cameras, smartphones and more.

• Security—Security is critical to all campus LAN services. Access to networks and applications must be open and pervasive, yet remain secure and controlled. Today’s networks not only need to effectively handle unmanaged devices and guest users attempting network access, they also need to address support for unmanageable devices, post-admission control, and application access control, visibility, and monitoring. Key security components and policies include:

- Policies ensuring Quality of Service (QoS)

- Mitigating denial of service (DoS) and distributed denial of service (DDoS) attacks and threats

- Ensuring that the organization meets compliance criteria

All security policies should be centrally managed and remotely deployed.

• Unified Communication—Deployment of VoIP phones using Power over Ethernet (PoE) technology, as well as video conferencing and web-based training through video on demand (VOD) applications, over the same campus LAN infrastructure as data calls for the logical separation of delivery of these services. Implementation of QoS policies is also needed to prioritize and guarantee delivery of latency-, jitter-, and loss-sensitive VoIP and video traffic over data.


• High Performance—LAN-like application performance must be provided at all times throughout the campus. Moderate oversubscription is common in the LAN access layer, but line-rate performance is highly desirable in the LAN aggregation and core layers.

• High Availability (HA)—Downtime is not an option in today’s campus LAN. It must offer at least five nines, or 99.999 percent, reliability, with a goal of approaching the level of service provided by the public switched telephone network (PSTN). HA should be addressed throughout the LAN design. Networking equipment and software that is cost-effective, feature-rich, highly reliable, and offers centralized management capabilities is vital to reduce downtime and operational costs. Robust, reliable connectivity is also required. In addition, emerging technologies such as unified communications depend on an optimized and always-on, high-performance network from end to end to function effectively.

• Centralized Management—A key service required in a campus LAN is centralized management of all network switches, firewalls, routers, VPN, and intrusion detection and prevention (IDP) devices. Centralized management solutions reduce the time and expense required to configure and manage network devices. In addition, network traffic can be more easily analyzed with such a system, facilitating network performance optimization.

Each of these areas is addressed in more detail in this document and, when appropriate, additional considerations or challenges for a specific service or feature are presented.

Scope

This design guide proposes practices, technologies, and products that help campus architects and engineers design a modern campus LAN. It also introduces issues related to changing campus needs and presents practices, technologies, and design considerations for campus architects and engineers. In addition, this guide shows how infrastructure solutions from Juniper Networks® allow businesses to advance the economics of networking through a truly innovative, game-changing operating environment that helps them increase revenue and raise productivity today and into the future.

Campus LAN Design Considerations

A new campus LAN design is needed as legacy solutions cannot meet these key requirements, nor reduce costs and streamline operations. The new LAN design must also scale and accommodate emerging computing trends and additional network services without an entire redesign. The following section summarizes some of the trends and technical considerations for designing a modern campus network to address these requirements. These considerations are not necessarily specific to Juniper Networks solutions and may be applied universally to any campus network design, regardless of the vendor.

Enterprise Computing Trends

In addition to the services previously mentioned, the following trends must be considered in a campus LAN design:

• Proliferation of unified communications

The adoption of unified communications including voice, video, and data services is on the rise. According to Forrester Research (2006), 46 percent of all companies in North America have installed IP telephony systems and 39 percent use VoIP to communicate with their remote users. Such deployments have a direct impact on the performance and high availability requirements of a campus LAN. For example, not only must adequate LAN and WAN bandwidth be provisioned, but QoS rules must identify, classify, and prioritize traffic to deliver effective VoIP communication services.

• Bandwidth-hungry applications

In addition to the increased bandwidth needed for unified communications, many popular business applications such as Oracle, SAP, and PeopleSoft have introduced web-enabled versions that require, in some instances, more than 10 times the bandwidth of their LAN-based counterparts, seriously impacting performance, reliability, and availability. Though it’s recommended to schedule data backup to local servers during times of low network usage, it’s possible such network services could be bandwidth intensive.


• User productivity

Since most business processes are now carried out online, the corporate LAN is a critical component of business growth and innovation. Because of that, any LAN downtime or inefficiency negatively impacts the corporate bottom line. Conversely, boosting network performance enhances business productivity, according to Information Week (2007). As such, the network must be leveraged with services such as wireless coverage and remote access to maximize productivity.

• Increasing focus on security

FBI/CSI statistics show that 72 percent of all companies surveyed reported at least one security incident in 2006, and there continues to be a proliferation of both internal and external attacks. Not surprisingly, a 2006 Forrester Research survey found that 57 percent of all firms consider “upgrading security environment” a top priority. As critical business processes become more distributed and unified communications present new vulnerabilities, the need for robust security is likely to intensify. User access policies are needed.

• Demand for wireless services

One of the main drivers of better business decisions is access to key information and resources at all times. Employees of modern business go to meetings with their laptops in tow, expecting wireless access to all of their applications, data stores, resources, and services. Not only must wireless service be provided throughout the campus, but it should enable users to seamlessly move across the campus without service disruption, much like roaming cell coverage. Such wireless service enables users to access whatever materials are needed to support a presentation or budget forecast, start a download from a centralized server and have it finished by the time they get to the conference room with their laptop, or talk on a Wi-Fi phone throughout the campus.

Wireless service and access must always be secure. Different levels of wireless access must be provided for contractors, partners, and other guest users, ensuring not only that the proper level of service is delivered but that access to the appropriate resources is restricted.

• Server centralization and data center consolidation

A 2007 Forrester report states that 51 percent of all firms consider server centralization a key priority. Gartner (2007) also reports that most enterprise servers operate at 20 percent capacity. New technologies like virtualization are needed to better utilize these resources. At the same time, most campuses need local servers that require extra security, bandwidth optimization, and traffic prioritization.

To further reduce costs, simplify operations, and comply with regulatory guidelines, enterprises are also consolidating data centers. According to a 2006 Nemertes Research report, 91 percent of companies interviewed were under compliance constraints and more than 50 percent of the companies had consolidated their dispersed data centers into fewer, larger data centers in the last 12 months, with even more planning to consolidate in the next 12 months.

In addition to high availability requirements ensuring nonstop operations, centralization raises new latency and security issues. Centralized management solutions that help reduce the time and resources devoted to keeping campuses online and operational are also needed.

Infrastructure Solutions

The network infrastructure of today’s campus is no longer sufficient to satisfy these requirements. Instead of adding additional costly layers of legacy equipment and highly skilled IT resources to support the growing number of devices and services in the campus network, enterprises need a new, more integrated and consolidated campus solution. Juniper Networks delivers a proven IP infrastructure for the campus that meets these challenges, enabling the performance, scalability, flexibility, security, and intelligence needed to not just meet but increase campus user productivity. Juniper Networks offers flexible configurations and price points that meet the needs of all campuses, while delivering high-performance throughput with services such as firewall, Juniper Networks Adaptive Threat Management Solutions, VPN, MPLS, IPv6, and Connectionless Network Service (CLNS).


Figure 1: Highly available campus LAN configuration

Campus Architecture Overview

Layered Approach

An enterprise campus LAN architecture may span up to three layers, from desktop devices connected to wiring closet switches at the access layer to the core layer at the center of a large campus LAN. The hierarchical topology segments the network into physical building blocks, simplifying operation and increasing availability. Each layer within the hierarchical infrastructure has a specific role.

Figure 2: The layered approach

• The access layer provides an access control boundary and delivers network connectivity to end users in a campus.

• The aggregation layer aggregates connections and traffic flows from multiple access layer switches, providing a core enforcement perimeter as it delivers traffic to core layer switches.

• The core layer provides secure connectivity between aggregation layer switches and the routers connecting to the WAN and the Internet to enable business-to-business collaboration.

This document focuses primarily on how these layers are deployed in the campus network. Areas outside of that scope are presented when relevant to the discussion. For example, certain campus configurations may collapse one or more layers.

(Figure 1 diagram labels: Internet and private WAN, HQ; M Series, EX8200 line, SBR Series, ISG Series, SA Series, IC Series, OAC, EX4200 line, EX2200/EX3200 line, access points; Access Layer – 10/100/1000BASE-T; Aggregation Layer – GbE and 10 GbE LAG Fiber; Core Layer – 10 GbE LAG.)


Benefits and Challenges to the Layered Approach

A multilayered architecture facilitates network configuration by providing a modular design that can rapidly and economically scale. It also creates a flexible network on which new services can be easily added without redesign. The layered approach also delivers separated traffic, balances load across devices, and simplifies troubleshooting.

This three-layered approach traditionally requires additional hardware and can be costly to configure, deploy, and administer for small campuses. To account for that, small campuses may collapse one or more layers.

Note: This document deals primarily with three-layered LAN designs, though it also introduces a two-layered design with a converged aggregation and core layer. Those supporting extremely small campuses may wish to view the Juniper Branch LAN Design Guide for LAN designs that collapse multiple layers.

Trying to address emerging bandwidth, throughput, and port density requirements, networks in the past have grown bloated with extra layers of inefficient, ill-suited legacy hardware that not only fails to meet these needs, but also adds considerable management complexity, reduces network availability, and drives up capital and operational expenses.

A Network Revolution

A recent entrant into the evolving switching market, Juniper Networks has factored lessons learned and experiences into the development of a new portfolio of Ethernet switch products and network solution designs that address contemporary issues and accommodate future growth. These new products are designed to eliminate unnecessary network layers while providing a platform for delivering higher availability, converged communications, integrated security, and higher operational efficiency. With these solutions, Juniper Networks simultaneously advances the fundamentals and economics of networking by delivering greater value, increasing simplicity, and lowering the total cost of network ownership.

Implementation: Access Layer

The campus access layer provides network connectivity to end users by connecting devices such as PCs, printers, IP phones, and CCTV cameras to the corporate LAN via wired or wireless LAN (WLAN) access points. Access layer switches typically reside in the wiring closets of each floor in each campus facility.

Figure 3: Access layer at a highly available campus LAN

The access layer provides connectivity, Power over Ethernet (PoE), quality of service (QoS), and security with policy services and network access control.

(Figure 3 diagram labels: Core Layer, Aggregation Layer, L2/L3 Switch.)


Access Layer Design Considerations

Wired Port Connectivity

Accounting for an adequate number of wired ports for all computers, IP phones, CCTV cameras, WLAN access points, and other IP devices is the first step to addressing port requirements. The logical segmentation required and the number of logically separate networks that should share the same LAN must also be determined. Access layer switches must be scalable and provide HA features in addition to over-provisioned and underutilized Gigabit Ethernet or 10-Gigabit Ethernet uplinks to aggregation layer switches. These considerations help establish what type of hardware configuration is needed.

WLAN Connectivity

Ideal for employees meeting in conference rooms or areas other than their offices, as well as contractors, partners, and guests, wireless access must be provided across the campus. With the plethora of IP devices available on the market and used in the workforce, especially by unknown guests, a comprehensive security policy must ensure that only trusted devices access the campus network. Further, the appropriate LAN resources must be restricted and made available only to those with the proper credentials. This is especially true for contractors, partners, and other guests. Seamless coverage enabling a user to roam the campus with the same login credentials is also expected.

There are two main designs for flexible and roaming wireless solutions:

• Non-controller based wireless access—In this design, an 802.1Q trunk from access point to switch is required. Roaming requires spanning at least two VLANs between access layer switches.

• Controller-based wireless access—This design uses a virtualized, centralized wireless controller. Access point VLANs are placed local to the access switch. Roaming does not require spanning VLANs across the campus network.

Figure 4: Flexible and roaming wireless access solutions

PoE

Nearly all campuses have IP phones today, most of which require PoE to function. Campus facilities are likely to also have PoE security cameras and WLAN devices. Accounting for the correct number of PoE ports is vital as the system configuration depends on it. Some access equipment doesn’t provide PoE services, so it’s important to make sure to use traditional wall-powered IP phones, CCTV cameras, and WLAN access points in those installations. In addition to accounting for the number of PoE ports, it is important to determine the level of power needed for the devices connected to each port. Many devices requiring PoE will use up to 15.4 watts, the maximum allowed for class 3 PoE.

(Figure 4 diagram labels: Core, Aggregation, Access; Wireless Controller; Wireless VLANs; L2/L3 Switch; Access Point.)


However, there are some devices such as security cameras with advanced pan, tilt, and zoom functions and IEEE 802.11n WLAN access points that may need more than 15.4 watts of PoE.

Virtual LAN and Spanning Tree Protocol

Campus LANs use VLANs to logically group sets of users, devices, or data, regardless of location, into logical networks through software configuration instead of physically relocating devices on the LAN. VLANs help address issues such as scalability, security, and network management.

VLANs are in essence Layer 2 broadcast domains that exist only within a defined set of switches. Using the IEEE 802.1Q standard as an encapsulation protocol, packets are marked with a unique VLAN tag. Tagged packets are only forwarded or flooded to stations in the same VLAN. To reach any station not belonging to the same VLAN, tagged packets must be forwarded through a routing device. Any switch or switch port can be dynamically or statically grouped into a VLAN. Alternately, traffic may be grouped into a VLAN and forwarded through specific ports based on the specific data protocol being sent over the LAN. For example, VoIP traffic from a softphone can be segmented from other traffic and put into a VLAN that gets a higher quality of service.

• Spanning Tree Protocol (STP)

VLANs may create multiple active paths between network nodes, resulting in problematic bridge loops. Since the same media access control (MAC) addresses are seen on multiple ports, the switch forwarding table can fail. Also, broadcast packets may end up being forwarded in an endless loop between switches, consuming all available bandwidth and CPU resources. STP, the IEEE 802.1D standard, ensures a loop-free topology for any bridged LAN. STP is designed to leave a single active path between any two network nodes by first creating a tree within a mesh network of connected LAN switches and then disabling the links which are not part of that tree. STP thus allows a network design to include redundant links to provide automatic backup paths if an active link fails—without the danger of bridge loops or the need for manual enabling/disabling of these backup links. Each VLAN can run a separate STP instance.

• Issues with STP

Troubleshooting may be challenging with STP due to complicated routing, incorrect configuration, or improper cabling. Since every packet must go through the root bridge of the spanning tree, routing performance with STP can also be suboptimal. STP often creates underutilized links and lacks a load-balancing mechanism as well. In addition, STP has a slow convergence of up to 30 to 50 seconds after a topology change. To combat this, Rapid STP (RSTP) was created, providing sub-second convergence. Multiple STP (MSTP), the 802.1s standard, supports multiple instances of STP but also increases configuration complexity.
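The following Python model, added here and not part of the Juniper design guide, works through the STP behaviour described above on a small constructed campus mesh (two aggregation switches, two dual-homed access switches, one horizontal access link): it elects the root bridge from the lowest bridge ID, computes each switch's root port, lists the redundant links that end up blocked, shows the access-to-access path hairpinning through the root, and re-converges after an uplink failure. Switch names, bridge IDs, link costs and the topology are all assumed for illustration.

```python
"""Toy IEEE 802.1D spanning tree computation for a small campus mesh.

Added example, not taken from the Juniper design guide. Switch names,
bridge IDs, link costs and the topology are constructed for illustration.
"""
import heapq
from collections import defaultdict

# Constructed topology: (switch_a, switch_b, path cost). Costs follow the
# 802.1D-1998 short-form table: 4 for 1 GbE, 2 for 10 GbE.
LINKS = [
    ("agg1", "agg2", 2),   # 10 GbE between the aggregation switches
    ("agg1", "acc1", 4),   # each access switch is dual-homed with 1 GbE
    ("agg2", "acc1", 4),
    ("agg1", "acc2", 4),
    ("agg2", "acc2", 4),
    ("acc1", "acc2", 4),   # horizontal access link that closes a loop
]

# Bridge ID = (priority, MAC); the lowest wins the root election. The
# aggregation switches get lower priorities so that an access switch
# cannot become root by accident.
BRIDGE_IDS = {
    "agg1": (4096, "00:00:5e:00:53:01"),
    "agg2": (8192, "00:00:5e:00:53:02"),
    "acc1": (32768, "00:00:5e:00:53:11"),
    "acc2": (32768, "00:00:5e:00:53:12"),
}


def compute_stp(links, bridge_ids):
    """Return the root, root path cost and root port per switch, and the
    sets of forwarding and blocked links."""
    root = min(bridge_ids, key=bridge_ids.get)
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Every switch converges on its lowest cost to the root, as it would
    # by comparing the root path costs advertised in received BPDUs.
    root_cost = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > root_cost[node]:
            continue
        for nbr, link_cost in adj[node]:
            if cost + link_cost < root_cost.get(nbr, float("inf")):
                root_cost[nbr] = cost + link_cost
                heapq.heappush(heap, (cost + link_cost, nbr))

    # Root port: the neighbour offering the lowest root path cost, ties
    # broken by the neighbour's bridge ID as 802.1D does (the port-ID
    # tie-break is omitted; this toy has one link per switch pair).
    root_port = {}
    for node in bridge_ids:
        if node != root and node in root_cost:
            root_port[node] = min(
                adj[node],
                key=lambda nc: (root_cost[nc[0]] + nc[1], bridge_ids[nc[0]]),
            )[0]

    # A link forwards only if it is some switch's root-port link; every
    # other link has one end put into the blocking state.
    active = {frozenset((n, p)) for n, p in root_port.items()}
    blocked = {frozenset((a, b)) for a, b, _ in links} - active
    return {"root": root, "root_cost": root_cost, "root_port": root_port,
            "active": active, "blocked": blocked}


def tree_path(stp, src, dst):
    """BFS over the forwarding links: the path frames really take once
    the redundant links are blocked."""
    adj = defaultdict(list)
    for link in stp["active"]:
        a, b = tuple(link)
        adj[a].append(b)
        adj[b].append(a)
    prev, queue = {src: None}, [src]
    while queue:
        node = queue.pop(0)
        for nbr in adj[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


if __name__ == "__main__":
    stp = compute_stp(LINKS, BRIDGE_IDS)
    print("root bridge:", stp["root"])
    for sw, port in sorted(stp["root_port"].items()):
        print(f"{sw}: root port towards {port}, root path cost {stp['root_cost'][sw]}")
    for link in sorted(stp["blocked"], key=sorted):
        print("blocked:", "-".join(sorted(link)))
    # acc1-acc2 is blocked, so access-to-access frames hairpin via the root.
    print("acc1 -> acc2:", tree_path(stp, "acc1", "acc2"))
    # Fail the agg1-acc1 uplink: acc1 re-converges onto agg2 automatically.
    after = compute_stp([l for l in LINKS if {l[0], l[1]} != {"agg1", "acc1"}], BRIDGE_IDS)
    print("after agg1-acc1 failure, acc1 root port:", after["root_port"]["acc1"])
```

Half of the six links end up blocked, which is the underutilization the text refers to, and frames between acc1 and acc2 take the two-hop path through agg1 although a direct link exists.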

Using Layer 2 versus Layer 3 at the Access Layer

Access switches are configured to use Layer 2 or Layer 3.

Figure 5: Layer 2 versus Layer 3 at the access layer

(Figure 5 diagram labels: two panels, “Layer 3 at Access” and “Layer 2 at Access”, each showing the WAN layer, aggregation layer and access layer with L2/L3 switches and the Layer 3 / Layer 2 boundary.)


• Using Layer 2 at the access layer

Using Layer 2 at the access layer is the traditional configuration. This provides plug-and-play configuration and makes the deployment in smaller networks easier to implement and manage.

There are a number of challenges associated with this option. This configuration usually requires STP, resulting in multiple connections, one active and one redundant. The demarcations between L2 and L3 with OSPF add multiple fault isolation domains, which add extra complexity in configuring and managing the network. Troubleshooting can also be more difficult in such configurations. In addition, convergence in case of a switch or link failure often takes too long to ensure a highly available campus LAN.

• Using Layer 3 at the access layer

Routing is enabled on the switch when using Layer 3 at the access layer, but it still provides the capability to put users into different VLANs. Layer 3 is more deterministic. No Layer 2 loops are created in this design. Layer 3 should be configured in the uplinks from the access switch to the aggregation layers, with Layer 2 configured at the access switch to the devices. STP can be enabled to prevent inadvertent loops. Or STP can be disabled and bridge protocol data unit (BPDU) protection enabled, making it easier to troubleshoot. When STP is disabled, OSPF or other open-standard protocols can be used to provide sub-second convergence. For larger or more complex networks, this is a low-maintenance solution in comparison to using Layer 2 at the access layer. This option is more costly to deploy with legacy network equipment, as Layer 3 usually requires an additional license fee.

• Recommendation

Unlike competitive products, Juniper Networks solutions provide the ability to deliver either Layer 2 or Layer 3 at the access layer without any added expense, as Layer 3 features are built into the base Juniper Networks Junos® operating system license with no extra license fees required. Instead of STP, Juniper solutions also use standard protocols such as OSPF with equal-cost multipath (ECMP) for rapid convergence. LAN designs using Juniper Networks EX4200 Ethernet Switch with Virtual Chassis technology also benefit from Redundant Trunk Group (RTG) protocol as a built-in, optimized replacement to STP for sub-second convergence and automatic, high-performance load balancing. And, according to an independent 2007 Lake Partners¹ study, operating expense with Juniper Networks solutions can be up to 29 percent lower than competitive solutions. Juniper switches with Virtual Chassis technology provide simplified device management as well, equating to lower CapEx and OpEx compared to competing solutions.

Considerations for Implementing Unified Communications

Delivering voice, video, and data on a single network infrastructure offers many cost savings and operational simplicity benefits. It lowers communications expense, decreases the overall cost of network ownership, and simplifies network administration and maintenance operations. However, a single network infrastructure also presents a number of network challenges including QoS, security, and port configuration requirements.

Unified communications have real-time requirements that are not necessary for most data applications. VoIP packets, for example, must be efficiently transported throughout the LAN and WAN to ensure high-quality voice communications, even when the network is experiencing high utilization or congestion. Simply adding more LAN or WAN bandwidth doesn’t make the network voice-friendly. Latency, jitter, and packet loss are common VoIP challenges that must be accounted for with QoS queuing and scheduling to ensure high-quality VoIP communications. In addition to access-based security measures, addressing port density and PoE requirements for IP phones is fundamental to a successful design.

1. Quality of service

Access layer devices must be able to identify, classify, and queue traffic across the LAN to ensure optimal performance or QoS. Once identified, traffic is properly assigned and managed to ensure that each application, such as unified communications, delivers satisfactory performance across the entire LAN.

• Classification and enforcement

Each type of data flow on the LAN has different QoS requirements. Traditional applications such as Web browsing and email work fine with the best-effort delivery standard on IP networks. However, additional requirements must be met to ensure effective delivery of voice, video conferencing, and other real-time applications. Unlike streaming video, for example, real-time voice data can’t be cached or have lost packets retransmitted since both would add an unacceptable delay and ruin the quality of the communication, resulting in a poor user experience. Voice packets, therefore, must be given top priority when creating QoS policies.

IP phones and other communication devices are likely to be spread throughout the LAN in many different physical locations. VLANs, as discussed earlier, can be used to identify and segment voice, video conferencing, and data traffic, regardless of location, into logical VLANs so that the appropriate QoS parameters can be easily applied to maintain optimal service for each data flow.

To facilitate QoS, data can be classified by a combination of MAC address, IP address, physical port, and protocol. For example, a block of IP phones connected to a specific LAN segment could be placed in a VLAN designated for voice traffic based on the IP phone port numbers. Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) may also be used to discover an IP phone and automatically place it on a VLAN. Or traffic from a softphone can be analyzed at the protocol level, with voice data given top priority regardless of the source port. Once the data is classified with the appropriate Differentiated Services code point (DSCP), it must be queued and scheduled. Most important, the same QoS rules must be enforced consistently throughout the LAN and WAN.

• Built-in QoS

QoS and class of service (CoS) features are built into all Juniper infrastructure, security, and application acceleration solutions. All Juniper Networks switches and routers run Junos OS, which comes standard with a full complement of QoS services. Juniper Networks EX Series Ethernet Switches, for example, support eight hardware queues per port and offer a range of policing options from best-effort delivery to enhanced delivery and assured delivery. Since the same Junos OS is found across all Juniper router and switch solutions, the same QoS policies can be used throughout the LAN and WAN design for easy and consistent traffic management. In addition, ASICs in all Juniper solutions support QoS by processing prioritized data and minimizing CPU load.

Note: For more information on VoIP QoS, read Juniper pub# 351113-001 August 2005: VoIP on the WAN: It's a Matter of Priorities.

2. Security

Implementing unified communications on the data network increases security exposures that can have serious service impacts. Malicious attacks from outside the network and inadvertent attacks within the network must be prevented. New ways of toll fraud and new security risks like eavesdropping are being discovered at an increasing rate. Additional points of entry are created; a hacked VoIP system now provides a back door to the corporate LAN. Security risks range from viruses, worms, and denial of service (DoS) attacks to unauthorized access. Deployment of VoIP solutions, similar to other network appliances, must account for security of the device itself as well as how it can be used to attack the network as a whole. Juniper Networks IDP Series Intrusion Detection and Prevention Appliances are recommended to thwart VoIP-related attacks as well as typical intrusions. An 802.1X solution should be used to authenticate and manage endpoints via policy-based access. For VoIP phones that do not support an 802.1X client, one can use the MAC-based authentication feature on the EX Series switches to authenticate the phones. Using the protocol-specific application-level gateway (ALG) features on all firewalls is recommended to dynamically open and close ports for each VoIP call.
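The classification and enforcement steps above and the 802.1X/MAC-based authentication just described, combined on one EX Series access port as an added Junos OS configuration example (not taken from this guide or from Juniper documentation): LLDP-MED places the phone on a voice VLAN, DSCP EF is classified into the expedited-forwarding queue and scheduled strict-high but shaped, and the port authenticates via 802.1X with a MAC RADIUS fallback for phones without a supplicant. The interface name ge-0/0/0, the VLAN IDs, the RADIUS address 192.0.2.10 and the shared secret are assumed placeholder values.

```junos
# Added example, not from the original guide. Interface ge-0/0/0, VLAN IDs,
# the RADIUS address 192.0.2.10 and the shared secret are placeholders.

# Separate VLANs for PCs and IP phones: voice is segmented so QoS and
# access policy can be applied to it regardless of where the phone sits
set vlans data-vlan vlan-id 200
set vlans voice-vlan vlan-id 100

# Access port: PC traffic is untagged on the data VLAN
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members data-vlan

# LLDP-MED discovers the phone and tells it to tag its traffic onto the
# voice VLAN; the forwarding class is advertised so the phone marks DSCP EF
set protocols lldp-med interface ge-0/0/0.0
set ethernet-switching-options voip interface ge-0/0/0.0 vlan voice-vlan
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class expedited-forwarding

# Classification: DSCP EF arriving on the port goes to the EF queue
set class-of-service classifiers dscp voip-dscp forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp voip-dscp

# Queueing: EF is served strict-high but shaped, so a flood of EF-marked
# packets from a misbehaving or compromised endpoint cannot starve the
# other queues
set class-of-service schedulers voice-sched priority strict-high
set class-of-service schedulers voice-sched shaping-rate percent 20
set class-of-service schedulers data-sched transmit-rate remainder
set class-of-service scheduler-maps campus-map forwarding-class expedited-forwarding scheduler voice-sched
set class-of-service scheduler-maps campus-map forwarding-class best-effort scheduler data-sched
set class-of-service interfaces ge-0/0/0 scheduler-map campus-map

# Port authentication: 802.1X via RADIUS; phones without a supplicant fall
# back to MAC RADIUS; "supplicant multiple" authenticates the PC behind the
# phone separately instead of letting it ride on the phone's session
set access radius-server 192.0.2.10 secret "PLACEHOLDER-SECRET"
set access profile dot1x-profile authentication-order radius
set access profile dot1x-profile radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius
```

The same classifier and scheduler map must be applied on the uplinks and on the aggregation and core switches for the EF marking to mean anything end to end.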

Threat Containment

It is vital that the access layer include integrated security features to guard against intruders or other external threats such as DDoS attacks. An extra layer of security should be provided by first authenticating users and performing virus checks, then enforcing precise, end-to-end security policies that determine who can access what network resources, as well as QoS policies to ensure delivery of business processes.

Modular Chassis Technology

A campus LAN must be able to quickly and seamlessly accommodate growth and new technologies economically from capital, network overhead, and network operational expense perspectives. This is often addressed at the access layer via modular chassis solutions.

Ideal modular solutions should offer high-density, high-speed ports with optional, cost-effective PoE capabilities. Each modular chassis should also offer high-speed uplink connections and provide the same type of HA features found in traditional chassis-based solutions. The ideal modular chassis solutions should also configure and manage more than one switch as a single Virtual Chassis configuration, dramatically reducing both capital and operating expense while providing additional HA features.

Access Layer Solutions

Scalable Access Solutions with Virtual Chassis Technology

Juniper Networks provides scalable access solutions with true innovation—EX4200 Ethernet Switches with Virtual Chassis technology. This solution advances the economics of networking by delivering the HA and high port densities of a modular chassis in a compact, cost-effective, pay-as-you-grow platform.

1. Features and benefits

Each compact EX4200 switch offers either 24 100BASE-FX/1000BASE-X ports, 24 10/100/1000BASE-T ports, or 48 10/100/1000BASE-T ports. The 10/100/1000BASE-T platforms offer either full or partial PoE options (partial solutions provide PoE on the first eight ports of the switch; full options provide PoE on all 24 or 48 ports). Each PoE port delivers up to 15.4 watts of power and is compatible with class 0-3 IP phones. The EX4200 switch's built-in LLDP-MED services help automate and extend the power management of these PoE endpoints as well as assist with inventory management and directories.

Each EX4200 Ethernet Switch supports optional front panel uplink modules supporting either four Gigabit Ethernet or two 10-Gigabit Ethernet ports for high-speed connections to aggregation or core switches. These uplinks support online insertion and removal.

Figure 6: Virtual Chassis technology

2. Pay-as-you-grow scalability

Juniper Networks Virtual Chassis technology enables a campus to add as many EX4200 switches as needed to meet its connectivity needs. Juniper's unique pay-as-you-grow model allows a campus to start with a single EX4200 switch (1 RU) and incrementally add up to nine more switches to the Virtual Chassis for a total of 10 switches before starting another Virtual Chassis configuration. The switches are interconnected via a 128 Gbps virtual backplane, and each can carry a Gigabit Ethernet or 10-Gigabit Ethernet uplink module; a fully loaded Virtual Chassis configuration supports up to 240 100BASE-FX/1000BASE-X ports, 480 10/100/1000BASE-T ports, or any combination of the two, plus up to 20 10-Gigabit Ethernet uplink ports or 40 Gigabit Ethernet uplink ports, or any combination of the two.

Not only does Virtual Chassis technology lower capital expenses when compared to traditional chassis systems, it also dramatically reduces operating expenses by enabling any group of interconnected switches to appear on the network and be remotely managed as a single unit. Coupled with the incremental, pay-as-you-grow model, the compact form factor of the Virtual Chassis configuration enables the campus to save not only on upfront and recurring rack space usage but also on costly power and cooling fees. Small campuses on a budget may consider the Juniper Networks EX3200 Ethernet Switch, which provides most of the same robust features as the EX4200 with the exception of Virtual Chassis technology.


3. Carrier-class reliability

The EX4200 switch with Virtual Chassis technology also provides the same high availability features as modular chassis-based systems. Each switch supports redundant, load sharing, hot-swappable AC or DC power supplies, as well as a field replaceable, hot-swappable fan tray with redundant blowers, any of which can fail without affecting operations.

Virtual Chassis technology provides unparalleled device and link HA using the virtual backplane protocol and Junos OS. Each set of interconnected switches with Virtual Chassis technology automatically takes full advantage of the multiple Routing Engines present to deliver graceful Routing Engine switchover (GRES) and nonstop forwarding to ensure uninterrupted operation in the rare event that any individual switch fails. For added device and link HA, a Virtual Chassis can be configured to address any requirements. For example, a single Virtual Chassis configuration of 10 switches can be configured instead as two five-switch Virtual Chassis configurations, or in any other desired combination.

4. Location independence

Another key feature of Virtual Chassis technology is that the virtual backplane protocol can also be extended across the optional Gigabit Ethernet or 10-Gigabit Ethernet uplink ports to interconnect switches that are more than a few meters apart, creating a single virtual switch that spans multiple wiring closets, floors, server racks, or buildings. Even when separated by long distances, interconnected switches with Virtual Chassis technology can be managed, monitored, upgraded, and otherwise treated as a single resilient switch, dramatically reducing recurring management and maintenance costs.
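The pay-as-you-grow, multiple-Routing-Engine and location-independence points above, as an added Junos OS example (not from this guide or from Juniper documentation) of a three-member preprovisioned Virtual Chassis with GRES, where the third member joins over a 10-Gigabit uplink port from another wiring closet. The serial numbers are placeholders, and the uplink module is assumed to sit in PIC slot 1.

```junos
# Added example, not from the original guide. Serial numbers are
# placeholders; the uplink module is assumed to be in PIC slot 1.

# Preprovisioned mode: only the listed serial numbers may join, and each
# member keeps its number and role across reboots, so an unlisted switch
# cabled into a Virtual Chassis port cannot silently become a member
set virtual-chassis preprovisioned
set virtual-chassis member 0 serial-number PLACEHOLDER-SERIAL-0
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 1 serial-number PLACEHOLDER-SERIAL-1
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 2 serial-number PLACEHOLDER-SERIAL-2
set virtual-chassis member 2 role line-card

# Two routing-engine members give a master and a backup Routing Engine;
# GRES lets the backup take over without interrupting forwarding
set chassis redundancy graceful-switchover

# Operational commands (entered on the switch, not part of the config):
# convert the first 10-Gigabit uplink port of member 2 into a Virtual
# Chassis port so that member joins over the uplink fiber from its closet
#   request virtual-chassis vc-port set pic-slot 1 port 0 member 2
# then confirm member IDs, roles and neighbor links
#   show virtual-chassis
```

The port at the other end of that fiber must be converted to a Virtual Chassis port in the same way, and member 2 should show as a line card with both Routing Engine members listed as master and backup.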

Figure 7: Reducing CapEx and OpEx with Virtual Chassis technology

[Figure 7 panels: "Standalone or stackable deployment" versus "Deployment with EX Series Virtual Chassis technology", each showing EX4200 line L2/L3 switches across floors; callout: 50% fewer wiring closets to manage]

5. Reducing CapEx and OpEx

At one-sixth the footprint and less than one-third the cost of the most commonly purchased chassis-based switch offering 48 fiber Gigabit Ethernet ports and four 10-Gigabit Ethernet wire-speed ports, the EX4200 with Virtual Chassis technology represents the new generation of switching.

Juniper Networks EX4200 Ethernet Switch comes standard with features that are costly add-ons in competitive solutions. For example, the EX4200 includes L3 in the base platform, offers built-in 10-Gigabit Ethernet uplink capability, delivers partial or full PoE, provides built-in redundant power supplies, and more in a single cost-optimized platform. OpEx savings include the unified Junos OS feature set and remote mirroring capability for full troubleshooting from a central network operations center (NOC), eliminating the need to send IT staff onsite for maintenance, upgrades, and debugging.

Not only does Juniper Networks lower CapEx and OpEx by collapsing layers and therefore reducing the number of devices in the network, but Virtual Chassis technology saves on valuable rack space, as well as recurring power and cooling costs. Virtual Chassis technology also frees up precious IT budget dollars that can be invested in new technologies that improve business productivity.

Note: For a full set of features, benefits, and specifications, please view the Juniper Networks EX4200 Ethernet Switches data sheet.

Wireless Solutions

Secure WLAN solutions from Juniper Networks partners Aruba Networks, Trapeze Networks, and Meru Networks are recommended for campuses that wish to provide wireless service. Each solution integrates seamlessly with Juniper Networks Odyssey Access Client (OAC), an enterprise-class 802.1X software access client. Working with an 802.1X-compatible RADIUS server such as Juniper Networks Odyssey Access Client server or Juniper Networks SBR Series Steel-Belted Radius Servers, OAC secures the authentication and connection of WLAN users, ensuring that only authorized users can connect, that login credentials will not be compromised, and that data privacy will be maintained over the wireless link. A specialized version of OAC includes a cryptographic module that has been FIPS 140-2 Level 1 Validated to meet security requirements of government agencies. OAC is also an ideal client for enterprises that are deploying identity-based (wired 802.1X) networking—saving time and effort by permitting one time deployment of wireless and wired 802.1X access while also simplifying the user experience and reducing training costs.


Aggregation Layer

The aggregation layer, sometimes referred to as the distribution layer, aggregates connections and traffic flows from multiple access layer switches to provide high-density connectivity to the LAN core.

Figure 8: Aggregation layer in a highly available campus LAN

Due to their location in the network, aggregation layer switches must provide scalability, high density, wire-rate ports, and high availability hardware and software features that deliver carrier-class reliability and robustness. Multiple Gigabit Ethernet downlinks from the access wiring closet are needed for redundancy. In addition, multiple 10-Gigabit Ethernet uplinks to the core are required.

Multiple aggregation layer switches delivering wire-rate performance for deterministic operation are used for redundancy. They should run Layer 3 for route summarization, fast convergence, load sharing, and redundant paths.

Aggregation Layer Design Considerations

Segmentation/Virtualization

Aggregation switches should also support generic routing encapsulation (GRE) tunneling for sending mirrored traffic from remote locations to monitoring devices in the NOC for centralized troubleshooting and analysis, or to build segregated overlay networks without the challenges associated with STP.

Distributed Switching

New, emerging technologies are causing a shift in how networks are designed. Administrators are always looking for ways to eliminate STP without the need to push Layer 3 to the access layer. One concept that is garnering a fair amount of attention is distributed switching in the core/aggregation layer. Redundant devices are being transformed into single, logical devices (see Figure 9).

[Figure 8 layout: Internet/private WAN; core layer of L2/L3 switches; aggregation layer of L2/L3 switches; access layer of L2 switches]

Figure 9: Distributed switching at the core/aggregation layer

By distributing switching at the aggregation or core layers, the following benefits can be realized:

• No STP (configure link aggregation groups to eliminate STP without L3 to the access)

• Layer 2, active/active topology

• Single management

The following should be taken into consideration when deploying distributed switching at the core/aggregation layers:

• Lack of spatial redundancy

• Software management—what is the upgrade process?

• High availability within the chassis—if the Routing Engine fails, do you lose half of your virtual switch?

• Switch capacity when part of the system fails—if half of the virtual system fails, can the other half manage twice the load capacity?

• Split brain—what happens when the system is split into two?

Aggregation Layer Solutions

Scalable Aggregation Layer Solutions

Due to the performance requirements of a highly available campus, HA features and scalability are increased with a LAN design that includes an aggregation layer. The EX4200 or the Juniper Networks EX8200 line of Ethernet Switches can provide the performance and services needed at the aggregation layer.

1. High availability

In terms of hardware component redundancy, both the EX4200 and the EX8200 line provide redundant Routing Engines, switch fabric, and redundant power and fans that are essential to a network aggregation device. In addition, both platforms run highly modular and resilient Junos OS, providing software HA features such as GRES as well as routing protocol graceful restart and Bidirectional Forwarding Detection protocol (BFD). This preserves forwarding operation and minimizes downtime in the event of a device or link failure. The EX Series platforms are also capable of supporting Junos OS nonstop routing and bridging as well as unified in-service software upgrade (ISSU), as the software roadmap allows.

[Figure 9 labels: Internet/WAN; core with distributed switching; access layer EX4200 line switches in Virtual Chassis configurations]
